Setting up Samba with winbindd, PAM and nsswitch
Ruben de Groot, 13-08-2003

This howto describes how we configure a FreeBSD server to act as a
fileserver in a Windows domain, authenticating against the (Windows)
PDC. Using PAM and nsswitch, we will even be able to log in as a Windows
domain user, without having to maintain a separate database of Unix
accounts.

1 Prerequisites

FreeBSD 5.1 or later including ports collection

NT4 or W2k Primary Domain Controller

2 Samba installation
It's important to install Samba with the right options activated. Change
to the /usr/ports/net/samba directory and type:

make WITH_WINBIND_NSS=yes

A menu is presented where we can select various other options. As a
minimum select ACL support, Audit, Winbind and Winbind Auth Challenge.
WITH_WINBIND_NSS builds the nss_winbind module that the nsswitch
configuration in section 4 relies on; without it, nsswitch has nothing to
hand domain lookups to. After the compilation has successfully completed,
type "make install" to finish the installation.

3 Samba configuration
For a detailed description of all the Samba configuration options we
refer to the Samba documentation on www.samba.org. The following basic
Samba configuration file (/usr/local/etc/smb.conf) will make Samba act as
a fileserver called "SOLEIL" in the domain "BZERK".
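The configuration file itself did not survive on this page. What follows is an added example written for this howto, not the author's original file. It uses the names the text gives (SOLEIL, BZERK, /bin/false as the domain users' shell) and the Samba 2.2 parameter names current in 2003; the LAN 192.168.1.0/24, the uid/gid ranges 10000-20000 and the share path /srv/data are assumptions.

```ini
# /usr/local/etc/smb.conf  (added example for this howto, not the original file)
[global]
   workgroup = BZERK
   netbios name = SOLEIL
   server string = BZERK file server

   # Member server: every logon is validated by a domain controller.
   # "encrypt passwords = yes" is mandatory with security = domain in
   # Samba 2.2, whose default is still "no".
   security = domain
   password server = *
   encrypt passwords = yes

   # Only answer on the LAN (assumed 192.168.1.0/24).
   interfaces = 192.168.1.0/24 127.0.0.1/8
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.

   # winbindd: allocate local uids/gids for domain SIDs from these ranges.
   # Pick ranges no local account uses; on disk, ownership is just the number.
   # (Samba 2.2 names; Samba 3.x calls them "idmap uid" / "idmap gid".)
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes

   # What domain users look like to Unix: no interactive shell, per-domain homes.
   template shell = /bin/false
   template homedir = /home/%D/%U

   # Makes the "ACL support" port option useful.
   nt acl support = yes

   log file = /var/log/samba/log.%m
   max log size = 500

[homes]
   comment = Home directories
   browseable = no
   writable = yes

[data]
   path = /srv/data
   # Group names containing spaces must be quoted; "+" is the separator set above.
   valid users = @"BZERK+Domain Users"
   writable = yes
   create mask = 0660
   directory mask = 0770
```

Run testparm on the file before starting anything: it reports unknown parameters and the effective values, which is the quickest way to catch a 2.2/3.x naming mismatch. Two settings matter for security beyond the join itself: encrypt passwords = yes keeps Samba from ever asking clients for a plaintext password, and the uid/gid ranges must not overlap local accounts, since file ownership on disk is stored as a number and a collision silently grants a domain user a local user's files.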

4 Nsswitch configuration
Starting with FreeBSD 5.1, it is possible to configure alternative
password and group databases through the /etc/nsswitch.conf configuration
file. If it doesn't exist already, just create the file with the
following two lines:

passwd: files winbind
group: files winbind

Now if the server needs to look up account information on a user or
group, it will first search its local password database (files),
followed by the domain user database on the Primary Domain Controller
(winbind). Keep the sources in this order: with files first, root and the
other local accounts are always resolved locally and keep working when
winbindd or the PDC is down, and no domain account can shadow them.

5 PAM configuration
At the time of this writing, the pam_winbind.so module will not
automatically be installed by the samba port, so we will do this by
hand. First copy the module to /usr/local/lib:

Next we have to modify some of the files in /etc/pam.d. Which files need
modification depends on which services we want to provide. In this
example we will provide ftp access to all domain users. The following
modified /etc/pam.d/ftpd makes this
possible:
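The modified file did not survive on this page either. The following is an added example, modelled on the stock FreeBSD 5.x /etc/pam.d/ftpd and not the author's file; it assumes pam_winbind.so was copied to /usr/local/lib as described above.

```text
# /etc/pam.d/ftpd  (added example, modelled on the stock FreeBSD 5.x file)

# auth
auth		required	pam_nologin.so			no_warn
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
# Domain users: ask winbindd. "sufficient" means a successful domain logon
# ends the chain, while a local user simply falls through to pam_unix.
auth		sufficient	/usr/local/lib/pam_winbind.so	try_first_pass
auth		required	pam_unix.so			no_warn try_first_pass

# account
account		required	pam_nologin.so
account		sufficient	/usr/local/lib/pam_winbind.so
account		required	pam_unix.so

# session
session		required	pam_permit.so
```

Keep pam_winbind at "sufficient", not "required": it fails for every local account, so "required" would lock out root and all other local users the moment the PDC is unreachable. try_first_pass on both modules makes the user type the password once. Remember also that plain FTP carries that domain password in the clear, so either keep ftpd reachable from the LAN only or offer an encrypted service instead.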

(Don't forget to add the line "/bin/false" to /etc/shells, as this is
the default shell of all domain users (the "template shell" in smb.conf
above) and ftpd won't accept users whose shell is not in /etc/shells.)
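As an added check that is not part of the original howto: the following sh script verifies the three details in sections 4 and 5 that are easy to get wrong (winbind listed after files in nsswitch.conf, the template shell present in /etc/shells, and pam_winbind present as "sufficient" in the PAM service file), and carries a verify_live function with the wbinfo and id commands to run once winbindd is up and the domain joined. The default file paths and the "+" winbind separator are assumptions.

```sh
#!/bin/sh
# Added example for this howto (not the author's code): lint the nsswitch,
# /etc/shells and pam.d pieces of a winbind setup. Default paths are the real
# files; each function also accepts a path so it can be run against copies.

# nsswitch.conf: "winbind" must come AFTER "files" for passwd and group, so
# local accounts (root above all) are always resolved from the local database
# and can neither depend on nor be shadowed by a domain lookup.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*$db:" "$f" | head -n 1)
        case "$line" in
            *files*winbind*) ;;
            *winbind*) echo "$db: winbind listed before files in $f" >&2; return 1 ;;
            *)         echo "$db: winbind not listed in $f" >&2; return 1 ;;
        esac
    done
}

# ftpd refuses any user whose login shell is not an exact line of /etc/shells;
# winbind hands out the template shell (/bin/false here), so it must be listed.
check_shell_listed() {
    shell=$1
    f=${2:-/etc/shells}
    grep -qx "$shell" "$f"
}

# pam_winbind must appear in both the auth and the account chain, and as
# "sufficient": "required" would lock every local user out whenever the PDC
# is unreachable, because pam_winbind fails for local accounts.
check_pam_winbind() {
    f=${1:-/etc/pam.d/ftpd}
    for type in auth account; do
        awk -v t="$type" '
            $1 == t && $3 ~ /pam_winbind\.so$/ { found = 1; if ($2 != "sufficient") bad = 1 }
            END { exit (found && !bad) ? 0 : 1 }' "$f" ||
        { echo "$type: pam_winbind missing or not sufficient in $f" >&2; return 1; }
    done
}

# Live checks: need winbindd running and the domain joined, so they are not
# run by default. Assumes "winbind separator = +" in smb.conf.
verify_live() {
    wbinfo -t || return 1                    # machine-account trust to the PDC
    wbinfo -u | head -n 3                    # domain users as winbindd sees them
    id 'BZERK+Administrator' || return 1     # ...and as nsswitch resolves them
}

case "${1:-}" in
    check) check_nsswitch && check_shell_listed /bin/false && check_pam_winbind && echo "config ok" ;;
    live)  verify_live ;;
esac
```

Run it as "sh check-winbind.sh check" after editing the files, and "sh check-winbind.sh live" after section 7; every failure names the file and the database or PAM chain that is wrong.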

6 Starting the daemons
Now it is time to actually start Samba and winbind. The Samba port has
installed a sample startup script, which we will rename first so it will
be executed at the next boot. Then we execute the script and finally we
start winbindd.

Note that you probably want to edit the samba.sh script so that it
starts winbindd automatically at boot time as well; otherwise domain
logins and domain name lookups silently stop working after the next
reboot, because nss_winbind and pam_winbind have no daemon to talk to.
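An added example of such an edited script, written for this howto and not the port's sample file: it starts winbindd together with nmbd and smbd, and stops each daemon through its pidfile instead of by name. It assumes the daemons live in /usr/local/sbin and write their pidfiles to /var/run; both locations can be overridden through the environment.

```sh
#!/bin/sh
# Added example for this howto (not the port's sample script): a
# /usr/local/etc/rc.d/samba.sh that starts and stops winbindd together with
# nmbd and smbd. Assumes the daemons live in /usr/local/sbin and write their
# pidfiles to /var/run; both can be overridden through the environment.

SAMBA_SBIN=${SAMBA_SBIN:-/usr/local/sbin}
SAMBA_RUN=${SAMBA_RUN:-/var/run}

# nmbd first so the NetBIOS name is registered, then smbd, then winbindd;
# stop in the reverse order.
START_ORDER="nmbd smbd winbindd"
STOP_ORDER="winbindd smbd nmbd"

samba_start() {
    for d in $START_ORDER; do
        if [ -x "$SAMBA_SBIN/$d" ]; then
            "$SAMBA_SBIN/$d" -D && printf ' %s' "$d"
        fi
    done
    echo '.'
}

# Signal a daemon through its pidfile, but only after checking that the pid
# still belongs to a process of that name: a stale pidfile must never end up
# killing whatever unrelated process has since been handed the same pid.
# (Killing by name, as "killall smbd" does, has the mirror-image problem:
# it hits every process that happens to be called smbd.)
stop_daemon() {
    name=$1
    pidfile=$SAMBA_RUN/$name.pid
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "corrupt $pidfile" >&2; rm -f "$pidfile"; return 1 ;;
    esac
    if [ "$(ps -p "$pid" -o comm= 2>/dev/null)" = "$name" ]; then
        kill "$pid" && rm -f "$pidfile"
    else
        echo "stale $pidfile: pid $pid is not $name" >&2
        rm -f "$pidfile"
        return 1
    fi
}

samba_stop() {
    for d in $STOP_ORDER; do
        stop_daemon "$d" && printf ' %s' "$d"
    done
    echo '.'
}

case "${1:-}" in
    start)   samba_start ;;
    stop)    samba_stop ;;
    restart) samba_stop; samba_start ;;
esac
```

Install it as /usr/local/etc/rc.d/samba.sh, mode 0755 and owned by root; the rc system runs every script in that directory with "start" at boot, so an attacker who can write to it owns the box at the next reboot.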

7 Joining the Domain
To add the Samba server into a Windows NT Domain, in this case the BZERK
domain, as a Domain member capable of authenticating user accounts to
any Domain Controller in the same way as a Windows NT Server, use the
following command:

smbpasswd -j BZERK -U Administrator

You will be asked for the Domain Administrator's password. Type it at
the prompt rather than appending it to -U (as Administrator%password):
command-line arguments are visible to every user on the box through ps
and end up in the shell history. The join stores the machine account
password in Samba's secrets.tdb, which must stay readable by root only.
(smbpasswd -j is the Samba 2.2 form; Samba 3.x does the same with
"net rpc join -U Administrator".)

8 Administration
If all went well we now have a working fileserver and member of the
domain that will for normal users be indistinguishable from an ordinary
Windows fileserver (except for speed probably; Samba is known to be
quite fast in comparison to native Windows filesharing).
Administration is straightforward as well. Most administrative jobs can
be done with native Windows tools as well as Unix commands. We will end
this document with some examples of useful Unix command-line tools for
administering the box.

Appendix A - recompiling ls
In FreeBSD 5.1, a lot of tools in the root filesystem are still
statically linked binaries. This can be a real nuisance, especially with
/bin/ls: a static binary cannot load the nss_winbind module, so it shows
domain users and groups only by their numerical IDs when listing
file/directory permissions.
The workaround is to recompile /bin/ls as a dynamically linked binary
(you need the full sources installed on your system for this).

cd /usr/src/bin/ls
make clean
make NOSHARED=NO depend
make NOSHARED=NO
make NOSHARED=NO install

After this, ls will show the full user and group names of Domain Users
and Groups. (From FreeBSD 5.2 onwards /bin and /sbin are dynamically
linked by default, with static copies kept under /rescue, so this rebuild
is only needed on 5.1.)